17-12
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 17 Monitoring and Troubleshooting the Firewall Services Module
Troubleshooting the Firewall Services Module
Symptom The context configuration was not saved, and was lost when you reloaded.
Possible Cause You did not save each context within the context execution space. If you are
configuring contexts at the command line, you did not save the context before you changed to the
next context.
Recommended Action Save each context within the context execution space using the copy run start
command. You cannot save contexts from the system execution space.
Symptom You cannot make a Telnet connection or SSH to the FWSM interface.
Possible Cause You did not enable Telnet or SSH to the FWSM.
Recommended Action Enable Telnet or SSH to the FWSM according to the “Allowing Telnet” section
on page 11-1 or the “Allowing SSH” section on page 11-2.
Symptom You cannot ping the FWSM interface.
Possible Cause You did not enable ICMP to the FWSM.
Recommended Action Enable ICMP to the FWSM according to the “Allowing ICMP to and from the
FWSM” section on page 11-10.
Symptom You cannot ping through the FWSM, even though the ACL allows it.
Possible Cause You did not enable the ICMP inspection engine or apply ACLs on both the source and
destination interfaces.
Recommended Action Because ICMP is a connectionless protocol, the FWSM does not automatically
allow returning traffic through. In addition to an ACL on the source interface, you need either to
apply an ACL to the destination interface to allow reply traffic, or to enable the ICMP inspection
engine, which treats ICMP connections as stateful connections.
Symptom Traffic does not go through the FWSM from a higher security interface to a lower security
interface.
Possible Cause You did not apply an ACL to the higher security interface to allow traffic through.
Unlike the PIX firewall, the FWSM does not automatically allow traffic to pass between interfaces.
Recommended Action Apply an ACL to the source interface to allow traffic through. See the “Adding
an Extended Access Control List” section on page 10-13.
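
The two preceding entries (ping through the FWSM, and traffic from a higher to a lower security interface) both come down to which interface needs an ACL. The following Python sketch is an added illustration, not code from this guide or from Cisco: it is a simplified model of that decision, and the class, the function names, the interface names and the addresses are all assumptions made for the example.

```python
# Simplified model (assumption): each interface has an inbound ACL, modelled as a
# set of permitted ICMP type names; an interface with no ACL permits nothing.
from dataclasses import dataclass, field

@dataclass
class Firewall:
    acl_in: dict = field(default_factory=dict)  # interface name -> permitted ICMP types
    icmp_inspection: bool = False
    sessions: set = field(default_factory=set)  # (client, server, echo id, seq) being tracked

    def forward(self, in_if, src, dst, icmp_type, ident, seq):
        """Return True if a packet arriving on in_if is passed."""
        # With inspection on, a reply matching a tracked request is passed
        # without an ACL on the interface where the reply arrives.
        if self.icmp_inspection and icmp_type == "echo-reply":
            key = (dst, src, ident, seq)
            if key in self.sessions:
                self.sessions.discard(key)  # one reply per request
                return True
        if icmp_type not in self.acl_in.get(in_if, set()):
            return False
        if self.icmp_inspection and icmp_type == "echo":
            self.sessions.add((src, dst, ident, seq))
        return True

def ping_through(fw):
    """Echo request inside -> outside, then the reply outside -> inside."""
    host, server = "10.1.1.10", "192.0.2.20"  # constructed sample addresses
    request = fw.forward("inside", host, server, "echo", ident=7, seq=1)
    reply = request and fw.forward("outside", server, host, "echo-reply", ident=7, seq=1)
    return request, reply

def run_cases():
    src_acl = {"inside": {"echo"}}
    both = {"inside": {"echo"}, "outside": {"echo-reply"}}
    return {
        "acl_on_source_only": ping_through(Firewall(acl_in=src_acl)),
        "acl_on_both": ping_through(Firewall(acl_in=both)),
        "source_acl_plus_inspection": ping_through(Firewall(acl_in=src_acl, icmp_inspection=True)),
        "no_acl_at_all": ping_through(Firewall()),
        "unsolicited_reply": Firewall(icmp_inspection=True).forward(
            "outside", "192.0.2.20", "10.1.1.10", "echo-reply", 7, 1),
    }

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name}: {result}")
```

Each result is a (request passed, reply passed) pair; the last case shows that inspection passes only replies that match a tracked request.
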
Symptom Traffic does not pass between two interfaces on the same security level.
Possible Cause You did not enable the feature that allows traffic to pass between interfaces on the
same security level.
Recommended Action Enable this feature according to the “Allowing Communication Between
Interfaces on the Same Security Level” section on page 6-8.